Risk management

Risk management is a structured process used by an organization to deal with uncertainty that could affect its objectives. In the context of information security and ISO 27001, it is applied to information assets and related activities.

Operationally, risk management typically includes the following steps:

• Establishing context: Defining the scope, criteria, and boundaries for managing risk, such as which information assets, processes, and locations are included.
• Risk identification: Listing events, threats, vulnerabilities, and situations that could affect the confidentiality, integrity, or availability of information and related systems.
• Risk analysis: Assessing the likelihood and impact of identified risks using defined methods (qualitative, quantitative, or combined) to determine risk levels.
• Risk evaluation: Comparing analyzed risks against established risk criteria to decide which risks require treatment and which can be accepted.
• Risk treatment: Selecting and applying options such as implementing controls, modifying activities, sharing risk with third parties, or accepting risk within defined criteria.
• Risk monitoring and review: Tracking risks, controls, and treatment plans over time, reassessing them when circumstances change, and updating records.
• Communication and consultation: Exchanging information about risks and decisions with relevant stakeholders throughout the process.

Under ISO 27001, risk management is documented and repeatable, and it directly informs the selection and implementation of information security controls in the Information Security Management System (ISMS).